Futuristic bracelet uses heartbeats as a password—but is it secure?

Company pairing a wearer's electrocardiogram with a mobile phone makes a lot of promises.

A security startup has unveiled a wearable device that's designed to replace the hassle of passwords by using a person's unique heartbeat signature to log on to computers and unlock car doors. While the device is intriguing, the dearth of key technical details makes it impossible to assess the marketers' promise that it provides "complete security without compromising convenience."

The Nymi is a small bracelet equipped with a sensor that reads the electrocardiogram (ECG) of the person wearing it. Once it has verified that the heart signature belongs to the person who registered it, it provides a means of authentication that can in theory be used to access a virtually endless supply of electronic devices, including airport kiosks, hotel room doors, and sensitive computer networks. It relies on three factors of authentication—that is, two things the user has, in the form of the bracelet and a paired mobile device, and one thing the user is, in the form of a verified ECG. A slick promotional video shows someone gliding from bed to airports to hotels to cafes, effortlessly logging into devices and unlocking doors without once having to enter a password or procure a key. Sure sounds tempting.

Nymi by Bionym.

Alas, there's not enough information available about the Nymi's inner workings to know if it is truly groundbreaking or another dose of the kind of snake oil that's all too common in the security circuit. Karl Martin, CEO of the Nymi creator Bionym, said the device hasn't yet undergone a formal security audit. That means even he can't say just how impervious it is to the kinds of sophisticated attacks that would inevitably target a universal sign-on gizmo, although he gave some high-level details that are encouraging. That said, there are several classes of hacks that might be used to compromise the security assurances of the device.

The first is what's known as a replay attack. If the attacker is able to obtain a person's unique ECG signal and bracelet, the attacker may be able to hook it up to a simple circuit that replays the heartbeat. A variation on this attack is to capture the data packets that the person's bracelet sends during the authentication procedure and use another set of hardware to resend that data. Replay attacks are similar to obtaining a copy of the key to a target's home or office. If the attacker can clone the secret data the user beams to the device he's logging in to, the security of the system can be undermined.

A related hack is known as a relay attack. If someone uses Nymi to unlock her smartphone while eating in a restaurant, what's stopping a nearby attacker from relaying those signals to unlock the user's car in the parking lot? Yet another closely related hack is to mount a man-in-the-middle attack, in which the attacker sits in between the user's bracelet and the device she's logging into. The hacker intercepts the signal her Nymi sends to the computer and sends it himself. The hacker then takes any response sent from the computer and relays it to the user. Once the authentication is complete, it's the attacker who has been authenticated, not the user.

"You're not telling the thing authenticating that it's your computer that you want to authenticate to," said Josh Dustin, who is the director of security at a company called HireVue and an expert in authentication. "So if somebody is able to rebroadcast that to your car... then you can unlock it."

Martin, the Bionym CEO, wrote in an e-mail that the device has been designed to withstand such attacks. Specifically, it uses elliptic curve cryptography to ensure data traveling between the bracelet and the device can't be monitored by anyone else. He also said the encryption secures the handshake performed between the bracelet and the devices being unlocked. Depending on how the technology is implemented, it might make replay attacks infeasible. One possible way to do this is for the car door to send a "challenge" in the form of random data that's encrypted with the user's public key. The car door only unlocks if the user's "response" includes that data after it has been decrypted using the corresponding private key.

A fact sheet goes on to say the Nymi is able to sense the proximity of the device being unlocked, another measure that could help prevent hacking.
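To make the replay, relay and challenge-response discussion above concrete, here is an added example that is not Bionym's code and not taken from the article. It assumes a per-pairing shared key with HMAC-SHA256 as a stand-in for the elliptic-curve handshake the company describes (the protocol shape is the same; only the primitive differs) and constructs its own device names and keys. The verifier issues a fresh random challenge, consumes it on first use so a captured response cannot be resent, and expects the response to be bound to the device the wearer intended to unlock, which is the point Dustin raises about telling the authenticator which device you mean.

```python
"""Challenge-response unlock with replay detection and target binding.
Added example, not Bionym's code. HMAC over a per-pairing shared key is an
assumed stand-in for the article's elliptic-curve handshake."""
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 5.0  # constructed value: how long an issued challenge stays valid


def _tag(key: bytes, nonce: bytes, target_id: str) -> bytes:
    # Bind the answer to the device the wearer intends to unlock, not just the nonce.
    return hmac.new(key, nonce + b"|" + target_id.encode(), hashlib.sha256).digest()


class Verifier:
    """The device being unlocked (car door, laptop). Holds the pairing key for one bracelet."""

    def __init__(self, device_id: str, pairing_key: bytes):
        self.device_id = device_id
        self.pairing_key = pairing_key
        self.outstanding: dict[bytes, float] = {}  # nonce -> time issued

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh, unpredictable challenge
        self.outstanding[nonce] = time.monotonic()
        return nonce

    def verify(self, nonce: bytes, target_id: str, tag: bytes) -> bool:
        issued = self.outstanding.get(nonce)
        if issued is None:
            return False  # unknown nonce: forged, expired, or a replay of a consumed one
        if time.monotonic() - issued > TTL_SECONDS:
            del self.outstanding[nonce]
            return False  # stale challenge
        if target_id != self.device_id:
            return False  # answer was meant for a different device (relay)
        if not hmac.compare_digest(_tag(self.pairing_key, nonce, target_id), tag):
            return False  # wrong key or tampered message
        del self.outstanding[nonce]  # consume: the same response can never succeed twice
        return True


class Bracelet:
    """Holds one pairing key per device; answers only while the wearer's ECG check holds."""

    def __init__(self, pairing_keys: dict[str, bytes], wearer_verified: bool = True):
        self.pairing_keys = pairing_keys
        self.wearer_verified = wearer_verified

    def respond(self, nonce: bytes, intended_target: str):
        if not self.wearer_verified:
            return None  # ECG check failed or band was removed: refuse to answer
        key = self.pairing_keys.get(intended_target)
        if key is None:
            return None
        return nonce, intended_target, _tag(key, nonce, intended_target)


def legitimate_unlock() -> bool:
    key = secrets.token_bytes(32)
    car, band = Verifier("car-door", key), Bracelet({"car-door": key})
    return car.verify(*band.respond(car.challenge(), "car-door"))


def replayed_response_rejected() -> bool:
    key = secrets.token_bytes(32)
    car, band = Verifier("car-door", key), Bracelet({"car-door": key})
    captured = band.respond(car.challenge(), "car-door")  # constructed: packets seen during a real unlock
    first = car.verify(*captured)
    second = car.verify(*captured)  # the same packets resent later from other hardware
    return first and not second


def relayed_response_rejected() -> bool:
    key_phone, key_car = secrets.token_bytes(32), secrets.token_bytes(32)
    car = Verifier("car-door", key_car)
    band = Bracelet({"phone": key_phone, "car-door": key_car})
    # The wearer is unlocking her phone; the car's challenge is forwarded to her
    # bracelet in the phone's place. The answer is bound to "phone", so the car refuses it.
    forwarded_nonce = car.challenge()
    return not car.verify(*band.respond(forwarded_nonce, "phone"))


def removed_band_cannot_answer() -> bool:
    key = secrets.token_bytes(32)
    car = Verifier("car-door", key)
    unworn = Bracelet({"car-door": key}, wearer_verified=False)
    return unworn.respond(car.challenge(), "car-door") is None


if __name__ == "__main__":
    for check in (legitimate_unlock, replayed_response_rejected,
                  relayed_response_rejected, removed_band_cannot_answer):
        print(f"{check.__name__}: {'ok' if check() else 'FAILED'}")
```

The replay defence rests entirely on the verifier never accepting a nonce it did not issue and consuming each one on first use. The relay defence is weaker: binding the answer to an intended target only helps if the bracelet learns that target from the wearer (for example, a choice made on the paired phone) rather than from the radio channel, since a relay can forward a device name as easily as a nonce. That is why the proximity sensing mentioned in the fact sheet is a complementary measure rather than a redundant one.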

What about convenience?

Even if the Nymi is able to withstand sophisticated attacks, there are other important considerations. For one, what happens when a user misplaces either his bracelet or the paired mobile device that has to be nearby when a user first puts on the wristband? Just about everyone loses phones, car keys, or other important devices from time to time. Nymi means a user has two things to hold on to. If either is lost, people will demand a workaround so they can check e-mail and open car doors until the devices are replaced. Engineers have a delicate balancing act ahead of them. Create a temporary measure that's too rigid and users will be furious that they're locked out of their digital domains. Create one too loose, and it will become a loophole that attackers will exploit to bypass the system.

It's also unclear how the device might work in the event that the user has a heart attack or other severe medical condition.

There are plenty of other unanswered questions. For instance, just how unique are ECGs, and how hard is it for others to read them passively? Can an ECG be read by, say, other pieces of custom-made jewelry? And how will the databases that store these signatures be maintained in a way that makes them secure but also provides the ubiquity needed to link them to a wealth of devices and services? The device is still available mostly for developers who may want to consider folding it into their third-party products or services. Martin said the company plans to publish technical details in the coming months as the hardware and software designs are finalized. He also said the software development kits made available so the service can be folded into third-party products and services will be open source so the technical underpinnings can be scrutinized.

Until then, readers should consider Nymi an intriguing device that may or may not live up to the lofty promise of providing security without the typical login and authentication headaches.

"This could be a very nice technology and an upgrade over password security for most users," said Joe Bonneau, a researcher who recently completed a PhD thesis on passwords and personal identification numbers. "I'd like to see something like this work out. I just hope that they get some security experts to vet this before people trust it for anything important."

Promoted Comments

Please, everyone that reads this, never ever ever ever hint, imply, suggest, or otherwise encourage the use of biometrics (fingerprints, iris scan, or apparently EKG?) as an authentication factor. If you think it's hard to change your password everywhere when there's a breach, just imagine how much harder it would be to get your finger changed too.

The angle Dan didn't seem to address was what happens when the company is hacked and their database is exploited? Can't really send out a mass email telling everyone to change their heart profile, can they?

I also worry about the fifth amendment implications. Giving up a password is at least arguably testimony against yourself (SCOTUS hasn't set precedent), but fingerprints, blood, retinas and presumably heartbeats are fair game.

This seems pointless. If you have to carry around a special device as your password, it does not need to monitor your heart to contain a random ID. It could simply generate a few thousand random bits and use that instead. Even better, it could generate a unique ID for each service and store those within an internal database, making it so that man-in-the-middle-esque attacks can only compromise one service at a time. Best of all, you can regenerate stolen passwords. You would probably be able to do all that using less battery power than an ECG reader, it would log you in quicker, and I would imagine be even cheaper to build. - This is the sort of software that I imagine will reign supreme in the wearable computing world.

The only upside I see is that, at least in theory, the biometric side of it means that the bracelet won't work if lost or stolen. Still, that seems like a fairly small benefit for most people.

Seems like at the end of the day, any biometric data-driven password is going to be ones and zeroes at some point over the wire and thus crackable. Maybe not, but that's what makes me uneasy about these devices.

Someone in the comments here made an observation recently that if someone cracks your text-based password, you can always change it. If someone can imitate your fingerprint/retina/etc., that's going to be a lot more difficult to change.

That's ok. If someone manages to imitate your heartbeat you just need to get an artificial heart transplant so that you match everyone else that's gotten one...

At first blush this is better than fingerprint readers and the risk of having your fingers stolen. But I only have one heart and vascular system: I cannot risk someone needing to hack in badly enough that they steal those.

The point about losing the bracelet seems unfair. What if you forget your password? What if you lose your key? No security system can rely on a single unlock method, there always have to be multiple methods. The secondary ones can be less convenient to use though.

I'm not sold on the idea of using only "something you have" with no "something you know" component to electronically protect anything not totally trivial. The combination of "have" and "know" is quite strong. Additionally, good "have" components are variable over time -- ie login tokens that generate a number sequence -- and can be replaced if they are compromised. Biometrics are neither. Try getting a new heartbeat when a fraudster swipes yours.

What aspects of the ECG are unique to an individual and what is the data behind the use of ECG metrics as a personal identifier? I would expect some aspects of the ECG to change depending on whether you are running or walking, what medication you are taking, if you had a heart attack, etc... Other aspects might fall in a narrow range such that not an insignificant number of people might share those attributes.

That's a pretty ugly wristband, too. A risk should be having to fish it out of your pocket and snap it on to pay for stuff because you don't want to always keep it on your wrist since it clashes with your cufflinks.

So, my main concern is less technical and more medical. Some of us have slight irregularities in our heartbeat that manifest at random intervals. Couple that with hypertension, and suddenly I can't unlock anything.

Now, the hypertension can be dealt with by ignoring magnitude of the "blip" and only focusing on the bit stream.

But the non-periodic arrhythmia? That seems much harder...

Also, what about time frame? Does this have to be on your wrist for a certain amount of time prior to being usable? Just once, or every time you use it?

I have a medical condition called Persistent Atrial Fibrillation. My heart rate is all over the map. It does not stay the same for even 10 seconds at a time no matter what my activity level is. - How will this gadget handle that?

Sounds like you have the extreme end of my problem. Mine is non-periodic, at a much slower rate, but still, same problem from the POV of this tech, I would think.

Well, yours would never work. Mine would just arbitrarily not work every so often.

The ECG signal is highly variable, getting a diagnostic-quality result requires precise placement of the electrodes directly over the heart in a controlled environment (not touching metal objects, not close to strong sources of EMF) and even then it will change from day to day. And yet these people claim they can get a 'signature' from one electrode on a wrist? There are a host of factors that alter the cable properties of the body and change the shape of the QRS waveform that will be detected at the end of your arm. I just don't see how they can control for those while still producing something secure.

As a former EMT who has seen plenty of ECGs, I wouldn't trust this thing until they get a dozen cardiologists to approve. Even a normal healthy individual can have temporary irregularities. False negatives would worry me just as much as attempts to bypass.

Why don't we just use voiceprints for security? A user could be required to read an arbitrary word or phrase to unlock their smartphone, or to authorize something, or whatever. An arbitrary word/phrase eliminates any possibility of recording someone saying their password and replaying it to unlock a device.

Surely that's within the capabilities of modern smartphones...

If it works how I think you're suggesting it works, it would involve a deep understanding of your personal voice in order to work with it, which would be difficult to analyze on the fly or without tonnes of data to work with. So anyone wanting such password protection would have to read a book out loud for a while in order to get some kind of system to match with. Otherwise when it prompts you to say "Dog", how does it know it's not you saying dog unless you've said it to it before? (I also really don't want to be saying "Purple monkey dishwasher" every time I need to unlock my phone in the office either)

Anyway, the idea in the article seems like it would break down after the first time I try to unlock my car after going for a run.

It requires at least 3 electrodes in specific positions on the chest to obtain a traditional-looking ECG. Even if this device measured 2 points on the wrist to get a single ECG lead, I wouldn't imagine there's much potential difference generated by the heart between those points, and the signal would be more noise than anything else.

Second, I hope you can hold your breath and keep perfectly still for however long this thing records for - or else your 'unique signature' will look suspiciously close to that of someone on the verge of death.

While most people's ECG will end up looking different from others eventually, that uniqueness is really a build up of whatever cardiac insults they've accumulated. I assume that this will be marketed to healthy young people, whose pattern will look decidedly generic.

I don't see a problem with biometrics as an authentication factor as long as they are only used locally. So the band would verify the biometric and then use some other challenge response mechanism to authenticate with everything else. Use the biometric to lock away a private key locally but don't use the biometric data as the private key.

However I would worry about just how reliable this kind of ECG reading would be.

Deet's fantasy bracelet is probably just as handy. You could have it prompt for PIN once a day or after it's been removed; the Nymi claims to have a sensor to detect removal. Mind you, then you could remove someone's arm as a way to get it without triggering the lock. Security is tricky business.

Problem is the current state of the Bluetooth 4 chips and software. A lot of the stacks are absolute shite (especially TI's cc254x - it's an 8051 + Bluetooth radio).

Bluetooth 4 itself has a very heavyweight protocol over a low bandwidth connection. Fine if you have small amounts of data like heart rate but not good if you have lots of data like EEG/ECG of a decent resolution - better sticking with Bluetooth 2 but you will take a hit on battery life.

This seems pointless. If you have to carry around a special device as your password, it does not need to monitor your heart to contain a random ID. It could simply generate a few thousand random bits and use that instead. Even better, it could generate a unique ID for each service and store those within an internal database, making it so that man in the middlesque attacks can only compromise one service at a time. Best of all, you can regenerate stolen passwords.

You just described the device in the article. Your biometrics are how you authenticate to the bracelet, not how it authenticates to the remote service.

The two steps deserve different criticisms, due to independent weaknesses.

There would only be additional benefit if the bracelet also performed medical functions. Generate a quasi-ECG readout that can be sent to an emergency services hotline if you pass out, help them work out whether it's a serious cardiac issue or a simple vasovagal, and determine how quickly an ambulance needs to get to you. Otherwise, it's redundant.

But as a replacement for a car or hotel key it's a great idea. Much harder to clone biometrics than a car key.

As to the guy who posts in every thread telling everyone to rebel against biometrics... That is totally irrelevant. Nobody (who knows what they're doing) is relying on biometrics alone. If you steal the biometrics for every customer that won't get you anything because this wristband appears to have an elliptic curve private key embedded inside.

They will not be storing the ECC private key on their server, so it doesn't matter if someone hacks the server. They need your wristband to impersonate you, in addition to your biometrics.

My question is how much does it cost? Does my car manufacturer, the hotel chain and every grocery store in the world need to pay them royalties? That will kill it.

What happens when your health goes bad? You get bronchitis and can't get enough oxygen so your heart beats faster to compensate. Or a burglar breaks into your house and your heart is racing and you can't call 911 because your phone won't unlock. Or you are diabetic and your blood sugar drops and your heart rate slows and again you are locked out of your phone or a door. You have chest pains and can't get to your nitro because your house is locked, and can't call 911 for the same reason. What if a million different things change your heart rate? Medications are stopped or started, you are sleepy or excited. This doesn't seem feasible.

Is it secure? That's not the question, I'm skeptical it'll even be able to identify the same person two days in a row. In fact, if it's a bracelet, you don't even have the benefit of a 3, 12 or 15-lead ECG; you have one lead, if that. So you have minimal detail to start with.

Firstly, a baseline ECG looks fairly similar from person to person. A normal sinus rhythm has a P wave, a T wave and a QRS complex with discrete Q, R or S waves depending on the specific lead. Variations on that are usually bad because they indicate inefficient cardiac function. So any two healthy people will look so similar that the device probably can't reliably differentiate them.

Secondly, your ECG will change constantly. I'm a young, healthy person and as a result, every time I breathe in, the raised intrathoracic pressure compresses my vagus nerves and the heart itself. Those two effects slow the heart rate, and rhythmically increase and then decrease the volume of blood entering the heart, which will also change the ECG as the heart moves in space. From breath to breath, my ECG changes in a way that can't easily be predicted by a bracelet.

Thirdly, any new or resolved arrhythmia will confound it. I might have an implanted defibrillator that fires when I have a run of ventricular tachycardia (VT) above 120 beats per minute. That's normal for me, but it means I'm susceptible to massive changes over time. What if I'm on a beta blocker, but my dose or diet has changed in a way that changes its effect? What if I'm normally on digoxin for atrial fibrillation, but my dose or its effect has changed (which is *very* common), altering the visibility of P waves and the pattern of QRS complexes?

Fourthly, even non-cardiac physiology affects the heart. What if I've just run a marathon and my serum potassium is through the roof? Instant arrhythmia. What if I have stable angina, and my chest hurts right now? Same thing. What if I'm stressed out, having an early infarct, wearing the bracelet on the wrong wrist, anything?

I'm completely skeptical that this device can even identify that the same user has used the bracelet two days in a row.